Matthew Needs
Beginner

Is ISRg3 IOS-XE PKI/SCEP with OTP enrolment possible?

Hi Guys,

I have an ISRg3 WAN running IOS PKI & SCEP with FlexVPN, which is working well. I have tested the Hub CA with both SCEP 'Grant Auto' and 'Terminal Manual' Spoke enrolment, which works great. However, I'm after a halfway house in an ideal world. I would like to set up SCEP with OTP passwords to authenticate each cert enrolment with an OTP temporary key, using the following OTP command at the Hub CA. The idea is that the OTP is then handed to the spoke router administrator to allow cert enrolment.

crypto pki server cs-label password generate [minutes]

It certainly looks like it is possible to set up on IOS-XE, but I can't find enough detail or figure out how to actually make it work. Can anyone help please?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16-12/sec-pki-xe-16-12-book/sec-cfg-mng-cert-serv.pdf

SCEP, which is the only supported enrollment protocol, supports two client authentication mechanisms: manual and preshared key. Manual enrollment requires the administrator at the certification authority (CA) server to specifically authorize the enrollment requests; enrollment using preshared keys allows the administrator to preauthorize enrollment requests by generating a one-time password.

Thanks a lot

Matt

Accepted Solution
Rob Ingram
VIP Mentor

Hi Matt,

Long time no speak, hope you are well?

The Cisco docs aren't that clear.

On the CA server, generate the OTP; the output displays the password. Copy and paste the password.

[attachment: 111.PNG]

On the spoke router enrolling for the certificate, you define the OTP under the trustpoint using the password command, pasting the password from the CA server. Authenticate and enroll as normal; when enrollment takes place it will use the password specified as the SCEP enrollment password.

crypto pki trustpoint TEST_CA
password 2B7481F9159FCB54

crypto pki authenticate TEST_CA
crypto pki enroll TEST_CA

If the password is correct, the certificate should automatically be approved; the output on the console should confirm this. Run show crypto pki certificates on the spoke router and confirm the status is available.

On the CA server you can run debugs (debug pki scep and debug pki server), which should shed some light on the enrollments.

HTH
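
A check for the last step of the procedure above (run show crypto pki certificates on the spoke and confirm the status is available), as an added Python example that is not part of this thread or of any Cisco tooling. It parses the command output into one record per certificate block and reports a trustpoint as enrolled only when both the router certificate and the CA certificate under it show Status: Available and the check time lies inside their validity window; a request the CA has not approved (Status: Pending) fails the check. The sample output is constructed to follow the IOS-XE layout; TEST_CA comes from the reply, while OTHER_CA, the hostname, serial numbers, fingerprint and dates are invented.

```python
"""Verify a SCEP enrolment from `show crypto pki certificates` output.

Added example (not from the thread): parse the output and decide whether a
trustpoint holds a usable router certificate plus its CA certificate.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a spoke router after a successful OTP enrolment against
# TEST_CA, plus a hypothetical second trustpoint (OTHER_CA) whose request the
# CA has not approved. Names, serials, fingerprint and dates are made up.
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=TEST_CA
  Subject:
    Name: spoke1.example.com
    hostname=spoke1.example.com
  Validity Date:
    start date: 10:00:00 UTC Jan 1 2024
    end   date: 10:00:00 UTC Jan 1 2025
  Associated Trustpoints: TEST_CA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=TEST_CA
  Subject:
    cn=TEST_CA
  Validity Date:
    start date: 09:00:00 UTC Jan 1 2024
    end   date: 09:00:00 UTC Jan 1 2034
  Associated Trustpoints: TEST_CA

Certificate
  Status: Pending
  Certificate Request Fingerprint MD5: 00000000 00000000 00000000 00000000
  Associated Trustpoints: OTHER_CA
"""


def parse_ios_date(value):
    """Turn an IOS validity timestamp such as '10:00:00 UTC Jan 1 2024' into an
    aware datetime. Only the UTC form is handled here."""
    return datetime.strptime(value.strip(), "%H:%M:%S UTC %b %d %Y").replace(
        tzinfo=timezone.utc
    )


def parse_certificates(text):
    """Split the output into one dict per certificate block.

    A block starts with an unindented header line ("Certificate",
    "CA Certificate", ...); the indented lines that follow are its fields.
    """
    certs = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # unindented line: new certificate block
            current = {"kind": raw.strip(), "status": None, "not_before": None,
                       "not_after": None, "trustpoints": []}
            certs.append(current)
            continue
        if current is None:  # field before any header: ignore
            continue
        line = raw.strip()
        if line.startswith("Status:"):
            current["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("start date:"):
            current["not_before"] = parse_ios_date(line.split(":", 1)[1])
        elif re.match(r"end\s+date:", line):  # IOS pads "end   date:"
            current["not_after"] = parse_ios_date(line.split(":", 1)[1])
        elif line.startswith("Associated Trustpoints:"):
            current["trustpoints"] = line.split(":", 1)[1].split()
    return certs


def enrolment_ok(text, trustpoint, now=None):
    """True only if `trustpoint` has an Available router certificate AND an
    Available CA certificate, both inside their validity window at `now`."""
    now = now or datetime.now(timezone.utc)
    have_router = have_ca = False
    for cert in parse_certificates(text):
        if trustpoint not in cert["trustpoints"]:
            continue
        if cert["status"] != "Available":  # Pending etc.: CA did not approve
            return False
        nb, na = cert["not_before"], cert["not_after"]
        if nb is None or na is None or not (nb <= now <= na):
            return False
        if cert["kind"] == "CA Certificate":
            have_ca = True
        elif cert["kind"] == "Certificate":
            have_router = True
    return have_router and have_ca


if __name__ == "__main__":
    check_time = parse_ios_date("12:00:00 UTC Jun 1 2024")
    for tp in ("TEST_CA", "OTHER_CA"):
        state = "enrolled" if enrolment_ok(SAMPLE_OUTPUT, tp, check_time) else "NOT enrolled"
        print(f"{tp}: {state}")
```

The OTP itself travels inside the SCEP request as the PKCS#10 challengePassword attribute, and the Cisco excerpt in the question describes it as a one-time password with a lifetime set by the [minutes] argument, so generate it shortly before the spoke enrols. A Pending status after crypto pki enroll means the CA did not auto-approve; the debugs listed in the reply show why.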

Matthew Needs
Beginner

Morning Rob

Great to hear from you. Thanks a lot for providing the missing link. Everything now works perfectly in my lab; I searched everywhere for that info to no avail.

I'm well, thanks; I hope you're also well? I'll drop you a message on LinkedIn; it would be nice to catch up.

Thanks again

Matt